SentinelOne Logs

Connecting SentinelOne Cloud Funnel logs to your Panther Console

Overview

Panther supports ingesting the following log types from SentinelOne:

  • Activity logs

    • SentinelOne Activity logs capture a multitude of events that occur in your network, including threat management events like Custom Rules - New Alert and User Marked Application As Threat, as well as administrative operations like Agent Request Uninstall and User 2FA Modified.

    • Panther pulls Activity logs from the /web/api/v2.1/activities endpoint in the SentinelOne API. This /activities endpoint is available on all paid SentinelOne plans.

    • To ingest these logs, follow the instructions in How to onboard SentinelOne API Activity logs to Panther, below.

  • Deep Visibility 2.0 logs

    • To ingest these logs, follow the instructions in How to onboard SentinelOne Cloud Funnel Deep Visibility logs to Panther, below.

How to onboard SentinelOne API Activity logs to Panther

The instructions below apply to SentinelOne API Activity logs. For instructions on how to onboard SentinelOne Cloud Funnel logs, see the next section: How to onboard SentinelOne Cloud Funnel Deep Visibility logs to Panther.

Step 1: Create a SentinelOne Service User and API token

You will need an API Token from a Service User that has the Viewer role in your SentinelOne account. If you already have an API Token from a Service User, you may skip this step.

  1. In the left-hand navigation bar of your SentinelOne Dashboard, click Settings.

  2. At the top of the Settings page, click the Users tab.

     Screenshot: In SentinelOne, the Settings icon is highlighted in the left sidebar menu and the "Users" tab is circled at the top.

  3. On the left side of the Users page, click Service Users.

  4. Click the Actions dropdown, then click Create New Service User.

     Screenshot: On the Settings page, "Service Users" is highlighted on the left. The Actions dropdown menu is expanded, and the "Create New Service User" option is highlighted.

  5. On the Create New Service User page, enter a name and a description, choose an expiration date, then click Next.

  6. On the "Select Scope of Access" page, configure the following:

    • Access Level: Account

    • Account selected: Ensure you have selected the correct account and that the role is set to Viewer

  7. Click Create User.

  8. Copy the API Token and store it in a secure location, as you will need to provide it to Panther in the next part of the log source onboarding process.
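Before pasting the token into Panther, it is worth confirming that the Service User can actually read the /web/api/v2.1/activities endpoint named above. The script below is added here as an example and is not part of Panther's or SentinelOne's own documentation; it also walks the endpoint's cursor pagination the way an ingestion poller does. The `Authorization: ApiToken` header, the `data`/`pagination.nextCursor` response shape and the `limit`/`cursor`/`createdAt__gt` query parameters are assumptions about the SentinelOne API, not taken from this page, and `fake_get` is a constructed two-page response so the logic runs offline.

```python
"""Added example (not Panther's or SentinelOne's own code): poll the
/web/api/v2.1/activities endpoint with a Service User token and walk its
cursor pagination. Assumed, not from the doc: the `Authorization: ApiToken`
header, the {"data": [...], "pagination": {"nextCursor": ...}} response
shape and the limit/cursor/createdAt__gt query parameters."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator, Optional

ACTIVITIES_PATH = "/web/api/v2.1/activities"  # endpoint named in the doc


def build_request(subdomain: str, token: str, cursor: Optional[str] = None,
                  since: Optional[str] = None, limit: int = 100):
    """(url, headers) for one page; `subdomain` is only the dashboard
    subdomain (e.g. example-domain), as entered in the Panther source."""
    params = {"limit": str(limit), "createdAt__gt": since, "cursor": cursor}
    query = urllib.parse.urlencode({k: v for k, v in params.items() if v})
    url = f"https://{subdomain}.sentinelone.net{ACTIVITIES_PATH}?{query}"
    return url, {"Authorization": f"ApiToken {token}", "Accept": "application/json"}


def http_get_json(url: str, headers: dict) -> dict:
    """Real transport: one GET, JSON-decoded (replaced by fake_get offline)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_activities(subdomain: str, token: str, since: Optional[str] = None,
                    get: Callable[[str, dict], dict] = http_get_json) -> Iterator[dict]:
    """Yield every activity, requesting pages until nextCursor is null."""
    cursor = None
    while True:
        url, headers = build_request(subdomain, token, cursor, since)
        body = get(url, headers)
        yield from body.get("data", [])
        cursor = (body.get("pagination") or {}).get("nextCursor")
        if not cursor:  # last page reached
            return


def fake_get(url: str, headers: dict) -> dict:
    """Constructed two-page response so the pagination can run offline."""
    assert headers["Authorization"].startswith("ApiToken ")
    if "cursor=page2" in url:
        return {"data": [{"id": "2", "primaryDescription": "User 2FA Modified"}], "pagination": {"nextCursor": None}}
    return {"data": [{"id": "1", "primaryDescription": "Agent Request Uninstall"}], "pagination": {"nextCursor": "page2"}}
```

To run it against a real tenant, call `iter_activities("<your-subdomain>", "<your-api-token>")` with the default transport; a 401 at the first page means the token or role is wrong before Panther ever sees it.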

Step 2: Create a new SentinelOne API source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “SentinelOne API,” then click its tile.

  4. In the slide-out panel, click Start Setup.

  5. Configure the SentinelOne API source:

    • Name: Enter a descriptive name for the source, e.g., SentinelOne API.

    • SentinelOne API Organization: Enter the subdomain of your SentinelOne account. To find this value, log in to your SentinelOne Dashboard and copy the subdomain from the URL.

      • For example, if your dashboard URL is https://example-domain.sentinelone.net/dashboard, your subdomain would be example-domain.

    • API Token: Enter the token of your Service User that you copied in the previous steps of this documentation.

      Screenshot: On the Configuration page of the SentinelOne API source setup flow, there are fields for Name, SentinelOne API organization, and API Token.

  6. Click Setup. You will be directed to a success screen:

     Screenshot: The success screen reads, "Everything looks good! Panther will now automatically pull & process logs from your account"

    • You can optionally enable one or more Detection Packs.

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

      Screenshot: The "Trigger an alert when no events are processed" toggle is set to YES. The "How long should Panther wait before it sends you an alert that no events have been processed" setting is set to 1 Day.

How to onboard SentinelOne Cloud Funnel Deep Visibility logs to Panther

Prerequisite

  • You have created a cloud storage entity.

    • If you are using AWS S3, configure it according to the SentinelOne documentation found at [SentinelOne Domain]/docs/en/how-to-configure-your-amazon-s3-bucket.html.

Step 1: Create a new SentinelOne Cloud Funnel 2.0 source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “SentinelOne Cloud Funnel 2.0,” then click its tile.

    • In the slide-out panel, the Transport Mechanism dropdown in the upper right corner will be pre-populated with the AWS S3 Bucket option.

  4. In the slide-out panel, click Start Setup.

  5. Follow Panther’s documentation for configuring AWS S3 as a Data Transport.

Step 2: Enable Cloud Funnel streaming

  • Follow the SentinelOne documentation on how to enable Cloud Funnel streaming to your cloud storage location, found at [SentinelOne Domain]/docs/en/how-to-enable-cloud-funnel-streaming.html#how-to-enable-cloud-funnel-streaming.

Supported log types

SentinelOne.Activity

Activity events from the SentinelOne API.

SentinelOne.DeepVisibility2

Deep Visibility 2.0 events from the SentinelOne services.
